In another instance, in 2021, a cyberattack on Ireland's health system paralyzed its health services for a week, cutting off access to patient records, delaying Covid-19 testing and forcing cancellations of medical appointments.
Many of the vulnerabilities currently present in connected medical devices stem from a lack of cybersecurity protection, device integrity and encrypted transfer of information. The issue is neither ignorance of the cyber threat nor an unwillingness to address it, but rather that device makers have relied on physical and security-through-obscurity risk controls in lieu of investing in stronger security technologies. New technologies have been adopted rapidly for their life-saving functions, but an adequate assessment of their cyber-related risks is needed.
One of the most effective ways to build a strong cybersecurity foundation into medical devices is to incorporate an encryption protocol that verifies the trustworthiness of, and authenticates, the communication between devices and host systems. In cryptography, this is referred to as a Public Key Infrastructure (PKI), a trusted and widely used practice.
Why a PKI is essential for medical devices
A PKI refers to a set of cybersecurity tools that facilitate the secure electronic transfer of information over a given network. Fundamentally, a PKI manages digital certificates and public keys for authentication and encryption. Traditional authentication methods (such as passwords) may be effective in the short term but create longer-term administration challenges. A PKI ensures an effective and trustworthy authorization protocol that is scalable for long-term protection.
PKI ensures every device has a cryptographic certificate that it can use to prove its identity to other devices and generate secure encryption keys for inter-device communication. This way, if a threat actor were to infiltrate the network, they would be unable to decipher the communications, and legitimate devices would refuse to communicate directly with the unauthorized intruder.
In the ideal scenario, MDMs should choose to have PKI as a cloud solution managed by a trusted third party. The advantages of outsourcing are that deployment is managed and centralized, taking care of any additional roll-out costs or future patching requirements. A cloud solution also offers flexibility in terms of updates and scalability to match all IT needs. As a well-established solution, PKI dispels much of the fear around incompatibility and control.
April 13, 2023 10:30
I couldn't agree more with your assessment and strategy. Having been in the MDI space for over 20 years, I dare say that when it seems logical to include this technology in the R and D cycle, it is quickly demoted or sidelined for fiscal reasons. Risk assessments have yet to take into account the real-world damage that could occur. They just don't know enough to evaluate it.
The good news is that from an innovation space, it has become a topline issue. It's just going to take a while for it to catch up to current design space processes. Keep talking, someone will pay attention.